37 posts categorized "Legal"

29 January 2018

For a limited time, (ISC)² is excited to offer the opportunity for members to pilot an interactive, online, self-paced free CPE credit opportunity that incorporates a practical hands-on lab learning experience. This Cyber Forensics Incident Recovery lab is designed to provide you with a deeper understanding of how to extract evidence from a suspect’s hard drive. We are eager to offer this course, which includes demonstrations, hands-on lab practical application and concludes with an assessment to ensure understanding of the learning objectives. You’ll learn key concepts, watch demos, work through the hands-on lab and test your knowledge. Following completion of...

29 June 2017

By Yves Le Roux, CISSP, CISM, Co-Chair, Europe, Middle East and Africa Advisory Council (EAC)

Recently our GDPR Task Force has found that despite efforts to prepare for the incoming regulation, many practitioners are finding that there is actually a lot more to do than originally anticipated, and are still in “discovery mode” about what data they hold. Data being fragmented and contained within individual business units means that knowing where data sets reside and mapping their flow is proving challenging. Businesses have just realised the mammoth task ahead of them. Many businesses are still stuck in the initial stages...

27 January 2017

Yves Le Roux, co-chair and public policy workgroup lead, (ISC)2 EMEA Advisory Council

This Saturday marks the 10th anniversary for Data Protection Day, celebrated each year on 28 January – which is the date the Council of Europe’s data protection convention, known as “Convention 108”, was established. Data Protection Day, known as Privacy Day outside of Europe, is now celebrated globally, raising awareness of people’s rights as they relate to the automatic processing of their data. Each year, events are held around the world to both arm citizens with the information they need to understand and protect their rights, while...

25 January 2017

Yes, you did read the headline right. It is the conclusion of a United Kingdom Government review (Cyber security regulation and incentives review) published right at the end of 2016. Here, the UK Government concludes that the EU General Data Protection Regulation (GDPR), with its reporting requirements and financial penalties, represents a significant call to action, so no further regulation is required at this time. This decision is to be applauded for four reasons. First, many UK-based organisations are also having to prepare for the European Union Network Information Security (NIS) Directive. Both NIS and GDPR are placing significant resource...

21 November 2016

The intent to enforce… something quite significant actually. A first read and review of the news coverage around the United Kingdom’s (U.K.) new Cybersecurity Strategy earlier this month left many believing that there is little to report on cybersecurity from their new government. The initiatives articulated and the funding levels had already been publicly discussed throughout the year, while any new intentions expressed in the strategy lacked detail. My initial reaction was disappointment that Theresa May’s government did not see fit to add new funds to the £1.9 billion committed by the previous Chancellor in November last year. Given that...

15 November 2016

The 2016 Americas Information Security Leadership Awards (ISLA®) were held in conjunction with (ISC)²’s Security Congress in Orlando, Florida in September. Jennifer Chermoshyuk, paralegal – media and technology practices, legal holds manager at the law firm of Davis Wright Tremaine in Seattle, WA was named the winner of the Up-and-Coming Information Security Professional Award. Jennifer, an alumna of the University of Washington, holds a bachelor’s degree in political science, as well as a certificate in information security and risk management from the university. The title “paralegal” may seem unique for an information security professional, but Jennifer has more than 15...

10 September 2014

I spent 25 years in the Washington, DC area, and during that time I became a National Public Radio junkie. I guess I still am. I recently listened to a report on a comprehensive study about how people in the workplace react to the news about a coworker that’s been diagnosed with breast cancer.[i] The results of the study shocked me. The worse the diagnosis and the closer employees physically worked to the diagnosed coworker, the less likely those working in close proximity were to seek cancer screening. Similarly, as the conversation about the complexities, costs, and potential breaches is...

19 October 2012

With (ISC)² being a supporter of U.S. National Cyber Security Awareness Month every year since its inception, it strikes me that many more organizations are getting involved this year – maybe more than ever before. I asked myself what’s changed. Then, I realized I don’t care – I’m just glad that our society is shining a spotlight on helping vulnerable groups – especially children – understand the lasting consequences of their actions online – for themselves and for other people. As recently as last week, we were told of the heartbreaking suicide of a young girl in British Columbia as...

18 May 2012

OPINION: A troubling article in Forbes raises concerns about how society takes care of those who raise legitimate, well-founded concerns about their employers. Aside from the specific legal decision in this particular case, there is a wider issue about protecting whistleblowers from retribution. If a whistleblowing employee makes allegations of serious impropriety by his employer, and those allegations are upheld, is it reasonable for him/her to insist on remaining employed by the organization? A few enlightened managements might swallow their pride and allow the whistleblowing employee to carry on normally in employment but I strongly suspect that in most cases...

14 May 2012

An opinion piece regarding a possible US law change raises fascinating ethical questions about privacy rights. Whereas employers have some interest in what their employees are saying and doing in their personal/non-work time, employees also have reasonable expectations of privacy concerning their private lives: OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act. The bill would bar employers from demanding job applicants' Facebook passwords - which recently has become an issue: The ACLU's Maryland branch championed the...

17 August 2011

It has happened to me before, it will surely happen to me again. No matter how vigilant I am in protecting my credit card information, someone, somewhere, will somehow gain access to my credit card information and run up charges on my account. It is another form of identity theft. They are pretending to be me as they enjoy the fruits of my credit history (as meager as that might be) and adding to my debt load. To be certain, depending on the card, I won’t be held responsible for fraudulent charges. The legal limit is $50 if I regularly...

17 June 2011

One of the best ways to combat identity theft is through the consistent monitoring of your credit report. Over the years, your credit report was a closely-guarded secret of the 3 major credit reporting agencies (Experian, TransUnion, and Equifax). You had to pay a fee to see your report and your rights were very limited as to what you could do about your report. However, Congress recognized several years ago that this did nothing but perpetuate identity theft and even hinder an individual’s ability to establish good credit. Today, you can request a credit report annually to monitor your history...

24 January 2011

Is it ethically acceptable for workers to pinch the odd pencil or Post-It note from work, or is this just the thin end of the wedge that leads to fraud, theft, corruption, Enron and Global Economic Meltdown? It's a tricky issue when you factor in the difficulties of writing and enforcing corporate policies on ethics, the effects these have on the workforce, and the prospect of tacitly or even formally endorsing unethical and perhaps illegal behaviours through weak policies and lax attitudes towards compliance. It's also a cultural issue, which makes it fuzzy and complex both to characterise and even...

05 May 2010

An interesting paper looking at the risks, risk management, and legal economics of breaches of privacy. Much of the material is fairly standard, but it also looks at different types of controls (such as preventative and recovery) in regard to data breaches, disclosure laws, and standards such as PCI DSS. Valuation of assets is also a factor. (Free download, as of this posting.)

Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.)

26 January 2010

From the International Journal of Cyber Criminology, "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate specifically to crimes involving computers or information systems. The paper is possibly not a complete examination, but it is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF.

17 November 2009

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.

15 November 2009

This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.